
Example 1 with PrivateResourceIamRoles

use of bio.terra.workspace.model.PrivateResourceIamRoles in project terra-workspace-manager by DataBiosphere.

Method doUserJourney of class PrivateControlledGcsBucketLifecycle.

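/**
 * Exercises the lifecycle of a private, user-managed GCS bucket in the workspace created for this
 * test.
 *
 * <p>The journey creates a GCP cloud context, grants {@code workspaceReader} the READER role and
 * {@code privateResourceUser} the WRITER role, then has {@code privateResourceUser} create a
 * private bucket and verifies the access-control properties of that bucket:
 * <ul>
 *   <li>the bucket is assigned to {@code privateResourceUser} even though no private resource
 *       user was specified in the create request;
 *   <li>the private user has EDITOR access to the bucket's contents while the workspace owner
 *       ({@code testUser}) and the workspace reader have no access at all;
 *   <li>any workspace member can still enumerate the bucket through WSM;
 *   <li>the workspace owner can delete the bucket through WSM, after which it is gone from both
 *       WSM metadata (404) and GCP.
 * </ul>
 * Finally it creates and deletes three further private buckets with explicitly supplied
 * private-user parameters (see the PF-1218 TODO below). Every delete is checked for job success
 * so that a failed cleanup does not pass silently.
 *
 * @param testUser the workspace owner for this test
 * @param workspaceApi WSM workspace API client used to create the cloud context and grant roles
 * @throws Exception on any API failure or failed assertion
 */
@Override
public void doUserJourney(TestUserSpecification testUser, WorkspaceApi workspaceApi) throws Exception {
    String projectId = CloudContextMaker.createGcpCloudContext(getWorkspaceId(), workspaceApi);
    ControlledGcpResourceApi workspaceOwnerResourceApi =
        ClientTestUtils.getControlledGcpResourceClient(testUser, server);
    ControlledGcpResourceApi privateUserResourceApi =
        ClientTestUtils.getControlledGcpResourceClient(privateResourceUser, server);

    // Two additional workspace members: a reader (must never reach the private bucket's contents)
    // and a writer (the one who will own the private bucket).
    workspaceApi.grantRole(
        new GrantRoleRequestBody().memberEmail(workspaceReader.userEmail), getWorkspaceId(), IamRole.READER);
    logger.info("Added {} as a reader to workspace {}", workspaceReader.userEmail, getWorkspaceId());
    workspaceApi.grantRole(
        new GrantRoleRequestBody().memberEmail(privateResourceUser.userEmail), getWorkspaceId(), IamRole.WRITER);
    logger.info("Added {} as a writer to workspace {}", privateResourceUser.userEmail, getWorkspaceId());

    // Create a private bucket, which privateResourceUser assigns to themselves.
    // Cloud IAM permissions may take several minutes to sync, so we retry this operation until
    // it succeeds.
    CreatedControlledGcpGcsBucket bucket =
        ClientTestUtils.getWithRetryOnException(() -> createPrivateBucket(privateUserResourceApi));
    UUID resourceId = bucket.getResourceId();

    // Retrieve the bucket resource from WSM
    logger.info("Retrieving bucket resource id {}", resourceId);
    GcpGcsBucketResource gotBucket = privateUserResourceApi.getBucket(getWorkspaceId(), resourceId);
    String bucketName = gotBucket.getAttributes().getBucketName();
    assertEquals(bucket.getGcpBucket().getAttributes().getBucketName(), bucketName);
    // Assert the bucket is assigned to privateResourceUser, even though resource user was
    // not specified
    assertEquals(
        privateResourceUser.userEmail,
        gotBucket.getMetadata().getControlledResourceMetadata().getPrivateResourceUser().getUserName());

    // Access control on the bucket contents: only the assigned private user gets in. The owner
    // and reader checks use null to mean "no access at all".
    try (GcsBucketAccessTester tester = new GcsBucketAccessTester(privateResourceUser, bucketName, projectId)) {
        tester.checkAccessWait(privateResourceUser, ControlledResourceIamRole.EDITOR);
        // workspace owner can do nothing
        tester.checkAccess(testUser, null);
        tester.checkAccess(workspaceReader, null);
    }

    // Any workspace user should be able to enumerate all buckets, even though they can't access
    // their contents.
    ResourceApi readerApi = ClientTestUtils.getResourceClient(workspaceReader, server);
    ResourceList bucketList =
        readerApi.enumerateResources(getWorkspaceId(), 0, 5, ResourceType.GCS_BUCKET, StewardshipType.CONTROLLED);
    assertEquals(1, bucketList.getResources().size());
    MultiResourcesUtils.assertResourceType(ResourceType.GCS_BUCKET, bucketList);

    // Workspace owner has DELETER role and can delete the bucket through WSM
    var ownerDeleteResult = deleteBucket(workspaceOwnerResourceApi, resourceId);
    ClientTestUtils.assertJobSuccess(
        "owner delete bucket", ownerDeleteResult.getJobReport(), ownerDeleteResult.getErrorReport());
    // verify the bucket was deleted from WSM metadata
    ApiException bucketIsMissing =
        assertThrows(
            ApiException.class,
            () -> workspaceOwnerResourceApi.getBucket(getWorkspaceId(), resourceId),
            "Incorrectly found a deleted bucket!");
    assertEquals(HttpStatusCodes.STATUS_CODE_NOT_FOUND, bucketIsMissing.getCode());
    // also verify it was deleted from GCP
    Storage ownerStorageClient = ClientTestUtils.getGcpStorageClient(testUser, projectId);
    Bucket maybeBucket = ownerStorageClient.get(bucketName);
    assertNull(maybeBucket);

    // TODO: PF-1218 - change these to negative tests - should error - when
    // the ticket is complete. These exercise two create cases with currently
    // valid combinations of private user.
    PrivateResourceIamRoles roles = new PrivateResourceIamRoles();
    roles.add(ControlledResourceIamRole.READER);

    // Supply all private user parameters
    PrivateResourceUser privateUserFull =
        new PrivateResourceUser().userName(privateResourceUser.userEmail).privateResourceIamRoles(roles);
    CreatedControlledGcpGcsBucket userFullBucket =
        GcsBucketUtils.makeControlledGcsBucket(
            privateUserResourceApi,
            getWorkspaceId(),
            RESOURCE_PREFIX + UUID.randomUUID(),
            /*bucketName=*/ null,
            AccessScope.PRIVATE_ACCESS,
            ManagedBy.USER,
            CloningInstructionsEnum.NOTHING,
            privateUserFull);
    assertNotNull(userFullBucket.getGcpBucket().getAttributes().getBucketName());
    // Check the delete job like the owner delete above; an ignored failure would leak a bucket
    // and hide a regression in DELETER permissions.
    var userFullDeleteResult = deleteBucket(workspaceOwnerResourceApi, userFullBucket.getResourceId());
    ClientTestUtils.assertJobSuccess(
        "owner delete full-user bucket",
        userFullDeleteResult.getJobReport(),
        userFullDeleteResult.getErrorReport());

    // Supply just the roles, but no email
    PrivateResourceUser privateUserNoEmail =
        new PrivateResourceUser().userName(null).privateResourceIamRoles(roles);
    CreatedControlledGcpGcsBucket userNoEmailBucket =
        GcsBucketUtils.makeControlledGcsBucket(
            privateUserResourceApi,
            getWorkspaceId(),
            RESOURCE_PREFIX + UUID.randomUUID(),
            /*bucketName=*/ null,
            AccessScope.PRIVATE_ACCESS,
            ManagedBy.USER,
            CloningInstructionsEnum.NOTHING,
            privateUserNoEmail);
    assertNotNull(userNoEmailBucket.getGcpBucket().getAttributes().getBucketName());
    var userNoEmailDeleteResult = deleteBucket(workspaceOwnerResourceApi, userNoEmailBucket.getResourceId());
    ClientTestUtils.assertJobSuccess(
        "owner delete no-email bucket",
        userNoEmailDeleteResult.getJobReport(),
        userNoEmailDeleteResult.getErrorReport());

    // Caller-chosen bucket name: the name WSM reports back must be exactly the one requested.
    String uniqueBucketName =
        String.format("terra_%s_bucket", UUID.randomUUID().toString().replace("-", "_"));
    CreatedControlledGcpGcsBucket bucketWithBucketNameSpecified =
        GcsBucketUtils.makeControlledGcsBucket(
            privateUserResourceApi,
            getWorkspaceId(),
            RESOURCE_PREFIX + UUID.randomUUID(),
            /*bucketName=*/ uniqueBucketName,
            AccessScope.PRIVATE_ACCESS,
            ManagedBy.USER,
            CloningInstructionsEnum.NOTHING,
            privateUserFull);
    assertEquals(uniqueBucketName, bucketWithBucketNameSpecified.getGcpBucket().getAttributes().getBucketName());
    var namedDeleteResult = deleteBucket(workspaceOwnerResourceApi, bucketWithBucketNameSpecified.getResourceId());
    ClientTestUtils.assertJobSuccess(
        "owner delete named bucket", namedDeleteResult.getJobReport(), namedDeleteResult.getErrorReport());
}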

Example 2 with PrivateResourceIamRoles

use of bio.terra.workspace.model.PrivateResourceIamRoles in project terra-workspace-manager by DataBiosphere.

Method testAssignedReader of class ControlledApplicationPrivateGcsBucketLifecycle.

/**
 * Creates an application-private bucket assigned to {@code writer} with only the READER role and
 * checks who can reach its contents: {@code wsmapp} (presumably the application identity; confirm)
 * keeps EDITOR access, the assignee gets READER access, and {@code reader} gets none. The created
 * bucket's name is recorded in the {@code bucketName} field and the bucket is deleted afterwards.
 *
 * @param resourceApi controlled-resource API client used to create and delete the bucket
 * @param projectId GCP project that hosts the bucket
 * @throws Exception on any API failure or failed assertion
 */
private void testAssignedReader(ControlledGcpResourceApi resourceApi, String projectId) throws Exception {
    // The assignee is the workspace writer, but on this bucket they are deliberately limited
    // to READER so the assigned role, not the workspace role, is what gets verified.
    PrivateResourceIamRoles assigneeRoles = new PrivateResourceIamRoles();
    assigneeRoles.add(ControlledResourceIamRole.READER);
    PrivateResourceUser assignee =
        new PrivateResourceUser().userName(writer.userEmail).privateResourceIamRoles(assigneeRoles);

    String resourceName = RandomStringUtils.random(6, true, false);
    CreatedControlledGcpGcsBucket created =
        GcsBucketUtils.makeControlledGcsBucketAppPrivate(
            resourceApi, getWorkspaceId(), resourceName, CloningInstructionsEnum.NOTHING, assignee);
    bucketName = created.getGcpBucket().getAttributes().getBucketName();
    assertNotNull(bucketName);
    logger.info("Created assigned-reader bucket {}", bucketName);

    // null means "no access at all".
    try (GcsBucketAccessTester access = new GcsBucketAccessTester(wsmapp, bucketName, projectId)) {
        access.checkAccess(wsmapp, ControlledResourceIamRole.EDITOR);
        access.checkAccess(reader, null);
        access.checkAccess(writer, ControlledResourceIamRole.READER);
    }

    deleteBucket(resourceApi, created);
}

Example 3 with PrivateResourceIamRoles

use of bio.terra.workspace.model.PrivateResourceIamRoles in project terra-cli by DataBiosphere.

Method createCommonFields of class WorkspaceManagerService.

/**
 * Builds the WSM {@link ControlledResourceCommonFields} for a controlled resource that is about
 * to be created from {@code createParams}.
 *
 * <p>Name, description, cloning instructions and access scope are copied from the parameters and
 * the resource is always marked as managed by the user. For a private resource the user returned
 * by {@code Context.requireUser()} is set as the private resource user with every IAM role
 * (READER, WRITER, EDITOR).
 *
 * @param createParams parameters describing the resource to create
 * @return the populated common fields
 */
private static ControlledResourceCommonFields createCommonFields(CreateResourceParams createParams) {
    ControlledResourceCommonFields fields =
        new ControlledResourceCommonFields()
            .name(createParams.name)
            .description(createParams.description)
            .cloningInstructions(createParams.cloningInstructions)
            .accessScope(createParams.accessScope)
            .managedBy(ManagedBy.USER);

    if (createParams.accessScope != AccessScope.PRIVATE_ACCESS) {
        return fields;
    }

    // A private resource cannot be reassigned to another user, so granting anything less than the
    // full set of roles would only leave the owner with a resource nobody can fully use.
    PrivateResourceIamRoles allRoles = new PrivateResourceIamRoles();
    allRoles.add(ControlledResourceIamRole.READER);
    allRoles.add(ControlledResourceIamRole.WRITER);
    allRoles.add(ControlledResourceIamRole.EDITOR);
    PrivateResourceUser owner =
        new PrivateResourceUser()
            .privateResourceIamRoles(allRoles)
            .userName(Context.requireUser().getEmail());
    fields.privateResourceUser(owner);
    return fields;
}

Example 4 with PrivateResourceIamRoles

use of bio.terra.workspace.model.PrivateResourceIamRoles in project terra-workspace-manager by DataBiosphere.

Method testAssignedWriter of class ControlledApplicationPrivateGcsBucketLifecycle.

/**
 * Creates an application-private bucket assigned to {@code reader} with the WRITER role and checks
 * who can reach its contents: {@code wsmapp} (presumably the application identity; confirm) keeps
 * EDITOR access, the assignee gets WRITER access, and {@code writer} gets none. The created
 * bucket's name is recorded in the {@code bucketName} field and the bucket is deleted afterwards.
 *
 * @param resourceApi controlled-resource API client used to create and delete the bucket
 * @param projectId GCP project that hosts the bucket
 * @throws Exception on any API failure or failed assertion
 */
private void testAssignedWriter(ControlledGcpResourceApi resourceApi, String projectId) throws Exception {
    // The assignee is the workspace reader, but on this bucket they are elevated to WRITER so
    // the assigned role, not the workspace role, is what gets verified.
    PrivateResourceIamRoles assigneeRoles = new PrivateResourceIamRoles();
    assigneeRoles.add(ControlledResourceIamRole.WRITER);
    PrivateResourceUser assignee =
        new PrivateResourceUser().userName(reader.userEmail).privateResourceIamRoles(assigneeRoles);

    String resourceName = RandomStringUtils.random(6, true, false);
    CreatedControlledGcpGcsBucket created =
        GcsBucketUtils.makeControlledGcsBucketAppPrivate(
            resourceApi, getWorkspaceId(), resourceName, CloningInstructionsEnum.NOTHING, assignee);
    bucketName = created.getGcpBucket().getAttributes().getBucketName();
    assertNotNull(bucketName);
    logger.info("Created assigned-writer bucket {}", bucketName);

    // null means "no access at all".
    try (GcsBucketAccessTester access = new GcsBucketAccessTester(wsmapp, bucketName, projectId)) {
        access.checkAccess(wsmapp, ControlledResourceIamRole.EDITOR);
        access.checkAccess(writer, null);
        access.checkAccess(reader, ControlledResourceIamRole.WRITER);
    }

    deleteBucket(resourceApi, created);
}
